

Surfsidekick3


This topic is locked
34 replies to this topic

#1 kokopelli2 (Members, 18 posts)

Posted 15 June 2006 - 06:43 PM

Been trying everything to get rid of this malware! Even used NTFS4DOS and deleted the 7 dll files, but it still gets back into memory and replicates itself somehow. New version of Spysweeper seems to be keeping it from creating pop-ups now, but it is still running and causing annoying performance issues.
This is my latest HijackThis log. Don't see any obvious signs of it, but it's still around somewhere!

Logfile of HijackThis v1.99.1
Scan saved at 3:06:41 PM, on 6/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wdfmgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
C:\Program Files\MTV Networks\VOpt\MTVOptQueue.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\hqjnb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rlqrldi.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\gpp4l37q1.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
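Added example (not part of the original post, and not code from HijackThis or any of the tools named in this thread): a small Python triage pass over the persistence-related lines of the log above. It pulls out the hooks that survive a reboot regardless of what is deleted from disk (Winlogon Shell and UserInit, AppInit_DLLs, Winlogon Notify packages, the text/html MIME filter, services with no vendor) and applies one file-name heuristic to loader paths elsewhere. The sample lines are copied from the log; the allowlist of stock Winlogon Notify packages and the random-name heuristic are assumptions made for illustration.

```python
"""Triage of HijackThis 1.99.1-style log lines for persistence hooks."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\hqjnb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rlqrldi.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\gpp4l37q1.dll
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Assumption: the stock Windows XP SP2 Winlogon Notify packages; anything else gets reviewed.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wzcnotif"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+')
RANDOM_STEM = re.compile(r"^[a-z0-9]{5,12}$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def looks_random(path: str) -> bool:
    """Heuristic (assumption): a lowercase alphanumeric stem containing a digit,
    dropped directly in %SystemRoot% or system32. Vendor files in deeper
    directories such as spool\\drivers are deliberately not matched."""
    parent, _, name = path.lower().rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    return parent in SYSTEM_DIRS and bool(RANDOM_STEM.match(stem)) and any(c.isdigit() for c in stem)


def _values(line: str, key: str) -> list[str]:
    """Split a comma-separated registry value that follows `key` in the line."""
    return [v.strip() for v in line.partition(key)[2].split(",") if v.strip()]


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        before = len(findings)
        if line.startswith("F2 - REG:system.ini: Shell="):
            # Winlogon\Shell should be exactly Explorer.exe; extra entries run at every logon.
            for v in _values(line, "Shell="):
                if v.lower() != "explorer.exe":
                    findings.append(Finding("F2 Shell", f"extra shell program {v}", line))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            # Winlogon\Userinit is a comma list; only userinit.exe belongs there.
            for v in _values(line, "UserInit="):
                if not v.lower().endswith("\\userinit.exe"):
                    findings.append(Finding("F2 UserInit", f"extra userinit program {v}", line))
        elif line.startswith("O18 - Filter: text/html"):
            # A pluggable MIME filter on text/html gets the stream of every page IE renders.
            findings.append(Finding("O18", "MIME filter on text/html sees every page IE renders", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # On XP every process that loads user32.dll also loads these DLLs.
            dlls = line.partition("AppInit_DLLs:")[2].strip()
            if dlls:
                findings.append(Finding("O20 AppInit_DLLs", f"{dlls} is injected into every user32 process", line))
        elif line.startswith("O20 - Winlogon Notify:"):
            # Notify packages are loaded by winlogon.exe itself, before any scanner shield.
            package = line.partition("Notify:")[2].split(" - ", 1)[0].strip().lower()
            if package not in STOCK_NOTIFY:
                findings.append(Finding("O20 Winlogon Notify", f"non-stock notify package {package}", line))
        elif line.startswith("O23 - Service:") and " - Unknown owner - " in line:
            findings.append(Finding("O23", "service binary carries no vendor information", line))
        if len(findings) == before:
            # Any other section: look at loader paths with throwaway-looking file names.
            for path in PATH_RE.findall(line):
                if looks_random(path):
                    findings.append(Finding(line[:2], f"random-looking file name {path}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script reports eight lines: the extra Shell and UserInit programs, the two random-named binaries referenced by the O2 and O4 entries, the text/html filter, the AppInit_DLLs entry, the non-stock Notify package and the vendorless service, while the Spybot helper and the Norton service are left alone. The point of splitting the rules this way is that the first group (Shell, UserInit, AppInit_DLLs, Notify) is loaded by winlogon.exe or user32.dll before any user-mode shield starts, which is why deleting the DLLs from a DOS boot disk was not enough on its own: the registry values that re-launch the loader were still in place.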


#2 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 16 June 2006 - 10:11 AM

Hello and welcome to BC. :thumbsup:

You'll need to disable the realtime scanners so that they will not interfere with the fixes:

SpySweeper:
Open Spy Sweeper and click on Options over to the left, then Program Options > uncheck "Load at Windows startup".
Over to the left click "Shields" and uncheck all there.
Uncheck "Home page shield".
Uncheck "Automatically restore default without notification".

Norton Script Blocking

  • Start Norton Antivirus.
  • Click Options.
  • If a menu appears when you click Options, then click Norton Antivirus.
  • The Norton Antivirus Options dialog box appears.
  • Click Script Blocking.
  • Uncheck Enable Script Blocking (recommended).
  • Click OK
You can reenable them afterwards when everything is clean.

=================================

I see Viewpoint installed.
Viewpoint Manager is considered foistware. Please read this article:
I suggest you remove the program. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

1. Viewpoint
2. Viewpoint Manager
3. Viewpoint Media Player


================================

Download Combofix.zip by sUBs.
Unzip it to its own folder.
Read here how to unzip/extract properly.
Open the Combofix folder and doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post this log in your next reply together with a new Hijackthis log.

#3 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 21 June 2006 - 09:05 AM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.


Topic re-opened as per pm request. June 29, 06

Edited by amateur, 29 June 2006 - 10:36 AM.


#4 kokopelli2 (Topic Starter, Members, 18 posts)

Posted 29 June 2006 - 10:52 AM

Ran ComboFix and then HiJackThis. Also removed Viewpoint (after logs ran).

Rebooted the PC and scan now shows: Trojan-download agent, visfx, zenosearchassistant, dollarvenue, findhewebsiteyouneed hijack.

Appreciate anything you can do.
--------

ComboFix Log:
Start Time= Thu 06/29/2006 11:04:42.45

(((((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\user agent\post platform]
"sv1"=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions\approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}"="SampleView"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{03DF038C-2518-4DF8-9D00-314CA14084FF}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{03DF038C-2518-4DF8-9D00-314CA14084FF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{03DF038C-2518-4DF8-9D00-314CA14084FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{03DF038C-2518-4DF8-9D00-314CA14084FF}\InprocServer32]
@="C:\\WINDOWS\\system32\\dlnlobby.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{79423724-357C-49D2-A39A-290DBA8A7020}]
@=""

[HKEY_CLASSES_ROOT\clsid\{79423724-357C-49D2-A39A-290DBA8A7020}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{79423724-357C-49D2-A39A-290DBA8A7020}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{79423724-357C-49D2-A39A-290DBA8A7020}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{41A9C270-057E-437E-BC7F-3BA93BBA4949}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{41A9C270-057E-437E-BC7F-3BA93BBA4949}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{41A9C270-057E-437E-BC7F-3BA93BBA4949}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{41A9C270-057E-437E-BC7F-3BA93BBA4949}\InprocServer32]
@="C:\\WINDOWS\\system32\\wrsdmoe.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{4BB76501-8683-4D06-8443-316B6D9CDB62}]
@=""

[HKEY_CLASSES_ROOT\clsid\{4BB76501-8683-4D06-8443-316B6D9CDB62}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{4BB76501-8683-4D06-8443-316B6D9CDB62}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{4BB76501-8683-4D06-8443-316B6D9CDB62}\InprocServer32]
@="C:\\WINDOWS\\system32\\vwa256.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{00E95191-9C54-41FF-B888-E883BA66B1B3}]
@=""

[HKEY_CLASSES_ROOT\clsid\{00E95191-9C54-41FF-B888-E883BA66B1B3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{00E95191-9C54-41FF-B888-E883BA66B1B3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{00E95191-9C54-41FF-B888-E883BA66B1B3}\InprocServer32]
@="C:\\WINDOWS\\system32\\snorprop.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{B34B4FF5-6E27-4B27-8D47-60A8A41B5EE4}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\clsid\{B34B4FF5-6E27-4B27-8D47-60A8A41B5EE4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{B34B4FF5-6E27-4B27-8D47-60A8A41B5EE4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{B34B4FF5-6E27-4B27-8D47-60A8A41B5EE4}\InprocServer32]
@="C:\\WINDOWS\\system32\\cfrtmgr.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{6A6BE8F0-D418-477D-A429-D4A32F1C376D}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\clsid\{6A6BE8F0-D418-477D-A429-D4A32F1C376D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{6A6BE8F0-D418-477D-A429-D4A32F1C376D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{6A6BE8F0-D418-477D-A429-D4A32F1C376D}\InprocServer32]
@="C:\\WINDOWS\\system32\\cmbjmon.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\cfrtmgr.dll
C:\WINDOWS\SYSTEM32\cmbjmon.dll
C:\WINDOWS\SYSTEM32\cmyptsvc.dll
C:\WINDOWS\SYSTEM32\d2j0lc1m1f.dll
C:\WINDOWS\SYSTEM32\d4j02e1mgh.dll
C:\WINDOWS\SYSTEM32\dinaddr.dll
C:\WINDOWS\SYSTEM32\dnr8019ue.dll
C:\WINDOWS\SYSTEM32\dnrq0195e.dll
C:\WINDOWS\SYSTEM32\drnaddr.dll
C:\WINDOWS\SYSTEM32\e0020adoed0c0.dll
C:\WINDOWS\SYSTEM32\fdifs.dll
C:\WINDOWS\SYSTEM32\gp8ul3l91.dll
C:\WINDOWS\SYSTEM32\gplul3391.dll
C:\WINDOWS\SYSTEM32\iyetres.dll
C:\WINDOWS\SYSTEM32\mvjet40.dll
C:\WINDOWS\SYSTEM32\n04slah71d4.dll
C:\WINDOWS\SYSTEM32\o4840elqehqe0.dll
C:\WINDOWS\SYSTEM32\o4lu0e39eh.dll
C:\WINDOWS\SYSTEM32\oee32.dll
C:\WINDOWS\SYSTEM32\p46slej71ho.dll
C:\WINDOWS\SYSTEM32\r2r60c9sef.dll
C:\WINDOWS\SYSTEM32\snorprop.dll
C:\WINDOWS\SYSTEM32\spmpsnap.dll
C:\WINDOWS\SYSTEM32\vwa256.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

11:06:10.18

Qoologic uninstaller found and executed
Registry entries fixed


((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Compaq_Owner\Application Data\Sskdmns.dll
C:\Documents and Settings\Compaq_Owner\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Ssk.log
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[10].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[11].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[12].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[13].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[14].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[15].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[16].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[17].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[18].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[19].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[1].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[20].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[21].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[22].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[23].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[24].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[25].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[26].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[27].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[28].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[29].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[2].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[30].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[31].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[32].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[33].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[3].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[4].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[5].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[6].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[7].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[8].ssq
C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[9].ssq


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



11:08:07.39
((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\drsmartload1.exe
C:\drsmartload45l.exe
C:\drsmartload45m.exe
C:\drsmartload46l.exe
C:\drsmartload46m.exe
C:\drsmartload849l.exe
C:\drsmartload849m.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2FWLSD01\drsmartload849a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C90NARK1\drsmartload46a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C90NARK1\drsmartload[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZA1EPY9\defender23a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZA1EPY9\drsmartload46a[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YJ6BA76D\drsmartload45a[1].exe
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\MTE3NDI6ODoxNg.exe
C:\warebundle.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\MTE3NDI6ODoxNg.exe
C:\WINDOWS\warebundle.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\network monitor
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\IA


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-28 23:14:48 28672 ( A.... ) "C:\kybrdc_2.exe"
2006-06-28 20:33:00 12288 ( A.... ) "C:\runme.exe"
2006-06-28 19:47:18 12288 ( A.... ) "C:\muhahaa.exe"
2006-06-28 18:33:02 12288 ( A.... ) "C:\autoexec01.exe"
2006-06-28 11:55:04 81920 ( A.... ) "C:\dfndrc_2.exe"
2006-06-28 07:17:48 16384 ( A.... ) "C:\boot.exe"
2006-06-28 01:04:00 12288 ( A.... ) "C:\syscom.exe"
2006-06-28 01:02:48 12288 ( A.... ) "C:\syscon.exe"
2006-06-27 23:31:22 20480 ( A.... ) "C:\stub_sca3.exe"
2006-06-27 23:30:14 362496 ( A.... ) "C:\526_620.exe"
2006-06-27 23:29:44 208896 ( A.... ) "C:\WINDOWS\system32\x3cqp0.dll"
2006-06-27 23:29:44 28672 ( A.... ) "C:\WINDOWS\system32ftuninst.exe"
2006-06-27 23:29:44 28672 ( A.... ) "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-27 23:29:42 45056 ( A.... ) "C:\WINDOWS\system32tfthot.exe"
2006-06-27 23:29:40 30208 ( A.... ) "C:\SS1001.exe"
2006-06-27 23:29:40 28672 ( A.... ) "C:\WINDOWS\system32\ftuninst.exe"
2006-06-27 23:29:38 45056 ( A.... ) "C:\WINDOWS\system32\tfthot.exe"
2006-06-27 23:29:28 45056 ( A.... ) "C:\wd7gi8n.exe"
2006-06-27 23:29:22 14848 ( A.... ) "C:\stub_113_4_0_4_0.exe"
2006-06-27 23:29:20 45077 ( A.... ) "C:\WINDOWS\system32\dwdsregt.exe"
2006-06-27 23:29:14 45059 ( A.... ) "C:\ZIGID003.exe"
2006-06-27 23:29:02 48190 ( A.... ) "C:\VSL02.exe"
2006-06-27 23:28:58 53248 ( A.... ) "C:\nwnmb_2.exe"
2006-06-27 23:28:30 12288 ( A.... ) "C:\installer.exe"
2006-06-27 23:15:42 12288 ( A.... ) "C:\owned.exe"
2006-06-27 16:30:52 172 ( A.... ) "C:\WINDOWS\comexec.bat"
2006-06-27 13:24:08 3209 ( A.... ) "C:\corruptfile.exe"
2006-06-26 15:01:16 24576 ( A.... ) "C:\WINDOWS\system32ssec.exe"
2006-06-26 15:01:16 24576 ( A.... ) "C:\WINDOWS\system32\ssec.exe"
2006-06-26 15:00:32 90112 ( ..... ) "C:\dfndrb_2.exe"
2006-06-26 15:00:32 57344 ( A.... ) "C:\kybrdb_2.exe"
2006-06-25 23:37:14 15872 ( A.... ) "C:\bootinit.exe"
2006-06-24 22:50:54 ( .D... ) "C:\Program Files\EngageSidebar"
2006-06-24 22:50:52 169472 ( A.... ) "C:\WINDOWS\system32\banners.exe"
2006-06-24 13:58:50 2560 ( A.... ) "C:\ac3_0003.exe"
2006-06-24 09:06:38 ( .D... ) "C:\Program Files\Common Files\partypoker"
2006-06-24 01:05:08 49152 ( A.... ) "C:\kybrd_1.exe"
2006-06-24 01:05:06 81920 ( A.... ) "C:\dfndra_1.exe"
2006-06-24 01:05:02 49152 ( A.... ) "C:\nwnm_1.exe"
2006-06-23 17:37:56 0 ( A..H. ) "C:\Program Files\Common Files\InetGet"
2006-06-21 17:25:02 2 ( A.... ) "C:\WINDOWS\system32\wnsapisv.exe"
2006-06-21 17:24:58 81920 ( A.... ) "C:\WINDOWS\system32\chkntfs.dll"
2006-06-21 17:24:58 ( .D... ) "C:\Program Files\?icrosoft"
2006-06-21 17:24:34 ( .D... ) "C:\Documents and Settings\Compaq_Owner\Application Data\?ymbols"
2006-06-21 17:20:50 11776 ( A.... ) "C:\bootcmd.exe"
2006-06-20 18:40:54 11776 ( A.... ) "C:\bootconect.exe"
2006-06-20 17:26:18 11776 ( A.... ) "C:\bootcon.exe"
2006-06-20 16:47:48 11776 ( A.... ) "C:\bootconfig.exe"
2006-06-20 16:45:56 427756 ( A.... ) "C:\bootsector.exe"
2006-06-20 16:14:02 13824 ( A.... ) "C:\WINDOWS\comserv.exe"
2006-06-20 15:31:32 105198 ( A.SH. ) "C:\WINDOWS\iexplore.exe"
2006-06-20 13:06:04 ( .D... ) "C:\Program Files\Common Files\simtest"
2006-06-20 13:06:04 ( .D... ) "C:\Program Files\Common Files\misc001"
2006-06-20 13:06:02 ( .D... ) "C:\Program Files\Common Files\svchostsys"
2006-06-20 04:06:52 298435 ( A.... ) "C:\svchost.exe"
2006-06-19 21:31:22 ( .D... ) "C:\Documents and Settings\Compaq_Owner\Application Data\Ulead Systems"
2006-06-19 21:25:56 ( .D... ) "C:\Program Files\Common Files\Ulead Systems"
2006-06-19 21:25:42 ( .D... ) "C:\Program Files\Ulead Systems"
2006-06-18 23:45:50 ( .D... ) "C:\Program Files\V6300 Digital Camera"
2006-06-15 18:39:06 131072 ( A.... ) "C:\WINDOWS\system32\mptft.exe"
2006-06-15 15:26:44 1142784 ( A.... ) "C:\WINDOWS\system32\ssn6tuu.exe"
2006-06-15 15:26:40 24576 ( A.... ) "C:\WINDOWS\system32\nr1rnqm8.exe"
2006-06-14 22:18:50 154 ( A.... ) "C:\WINDOWS\comfix.bat"
2006-06-14 22:01:56 403799 ( A.... ) "C:\WINDOWS\cmdmgr.exe"
2006-06-14 21:03:46 114174 ( A.... ) "C:\WINDOWS\hostsmgr.exe"
2006-06-14 20:52:14 29251 ( A.... ) "C:\WINDOWS\mc-110-12-0000488.exe"
2006-06-14 13:28:58 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-14 13:26:04 ( .D... ) "C:\Program Files\GiPo@Utilities"
2006-06-14 13:26:04 ( .D... ) "C:\Program Files\Common Files\Gibinsoft Shared"
2006-06-14 13:25:04 ( .D... ) "C:\Documents and Settings\Compaq_Owner\Application Data\TrojanHunter"
2006-06-14 13:09:10 59392 ( ....R ) "C:\WINDOWS\system32\streamhlp.dll"
2006-06-14 13:09:04 ( .D... ) "C:\Program Files\TrojanHunter 4.5"
2006-06-13 20:32:54 15872 ( A.... ) "C:\WINDOWS\booterror.exe"
2006-06-13 15:01:24 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-13 15:01:24 ( .D... ) "C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla"
2006-06-13 14:35:40 3649 ( A.... ) "C:\WINDOWS\viassary-hp.reg"
2006-06-13 13:37:28 ( .D... ) "C:\Documents and Settings\Compaq_Owner\Application Data\Lavasoft"
2006-06-13 12:07:42 14337 ( A.... ) "C:\numbsoft.exe"
2006-06-12 15:09:18 10752 ( A.... ) "C:\WINDOWS\system32\Shlesb.dll"
2006-06-12 12:34:58 ( .D... ) "C:\Program Files\Common Files\mqzu"
2006-06-11 10:34:06 53248 ( ..SHR ) "C:\WINDOWS\wdfmgr.exe"
2006-06-11 00:28:42 84176 ( A.... ) "C:\Documents and Settings\Compaq_Owner\Application Data\errorsafefreeinstall[1].exe"
2006-06-10 21:02:48 ( .D... ) "C:\Program Files\Windows"
2006-06-08 13:59:00 12288 ( A.... ) "C:\alias.com"
2006-06-08 13:53:48 266240 ( A.... ) "C:\NNSCAA638.EXE"
2006-06-08 13:53:28 459490 ( A.... ) "C:\visfx500.exe"
2006-06-08 13:53:08 ( .D... ) "C:\Program Files\Snowball Wars"
2006-06-08 13:52:36 56832 ( ..SHR ) "C:\WINDOWS\smss32.exe"
2006-06-06 23:35:20 13824 ( A.... ) "C:\WINDOWS\errorfix.exe"
2006-05-29 21:08:56 108462 ( A.... ) "C:\WINDOWS\manager.exe"
2006-05-04 00:26:22 5818784 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-03-30 05:16:04 1492480 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-03-29 21:00:14 16384 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AlcxMonitor"="ALCXMNTR.EXE"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""
"Dit"="Dit.exe"
"Ulead Photo Express Calendar Checker"="C:\\Program Files\\Ulead Systems\\Ulead Photo Express 5 SE\\calcheck.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"Hhl7RfpJ"="\"C:\\WINDOWS\\system32\\ssn6tuu.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Srro"="\"C:\\DOCUME~1\\COMPAQ~1\\APPLIC~1\\YMBOLS~1\\fast.exe\" -vt yazr"
"Kfi"="C:\\PROGRA~1\\ICROSO~1\\NTEPAD~1.EXE"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Srro"="\"C:\\WINDOWS\\FNTS~1\\arpa.exe\" -vt yazr"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Srro"="\"C:\\WINDOWS\\FNTS~1\\arpa.exe\" -vt yazr"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpySubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\SpySubtract.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPYSUB~1\\sslaunch.exe -autostart"
"item"="SpySubtract"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPBootOp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsburnwatcher"
"hkey"="HKLM"
"command"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Rundll32"
"hkey"="HKLM"
"command"="Rundll32.exe SiSPower.dll,ModeAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job

Completion time: Thu 06/29/2006 11:08:15.82
ComboFix ver 06.06.15 - This logfile is located at C:\ComboFix.txt

---------------------
HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:14:14 AM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wdfmgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ICROSO~1\NTEPAD~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
C:\Program Files\MTV Networks\VOpt\MTVOptQueue.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Srro] "C:\DOCUME~1\COMPAQ~1\APPLIC~1\YMBOLS~1\fast.exe" -vt yazr
O4 - HKCU\..\Run: [Kfi] C:\PROGRA~1\ICROSO~1\NTEPAD~1.EXE
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service:

#5 kokopelli2

  • Topic Starter
  • Members
  • 18 posts

Posted 29 June 2006 - 01:56 PM

I have run some more scans with Norton A/V, Spysweeper and TrojanHunter. Here is the latest HijackThis log. The system seems to be clean now, but I need a second opinion. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 2:49:01 PM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wdfmgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
C:\Program Files\MTV Networks\VOpt\MTVOptQueue.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:09:55 AM

Posted 29 June 2006 - 02:11 PM

The system seems to be clean now

Sorry, but it's not clean yet. I am working on your log now. I'll get back to you when I have my instructions ready. There is still quite a lot going in there.

#7 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:09:55 AM

Posted 29 June 2006 - 03:34 PM

Please print the following instructions so that you'll have access to them at all times. Read them carefully and follow them in the order they are presented.

Before we begin, you'll need to disable realtime scanners temporarily so that they will not interfere with the fixes.

To disable SpySweeper:

Open Spysweeper and click on Options over to the left, then Program Options, and uncheck "Load at Windows startup".
Over to the left click "Shields" and uncheck all there.
Uncheck "Home page shield".
Uncheck "Automatically restore default without notification".

To disable Trojan Hunter:
Please go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see, but the handle is red. Right-click it and select Settings. Uncheck "Load at startup" and "Enabled". Make sure that the program, TrojanHunter itself, is also closed/not running.

To disable Norton Script Blocking
  • Start Norton Antivirus.
  • Click Options.
  • If a menu appears when you click Options, then click Norton Antivirus.
  • The Norton Antivirus Options dialog box appears.
  • Click Script Blocking.
  • Uncheck Enable Script Blocking (recommended).
  • Click OK
=================================================

Go to Start > Control Panel > Add/Remove Programs and remove/uninstall the following, if present:

Forethought
Quicklinks
Party Poker
EngageSidebar
Surfsidekick
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

==================================================

Download and install Ewido Antimalware 4.0.
  • Open Ewido AntiMalware
  • Go to the Status menu
  • Under "Your computer's security", click Change status on Resident shield and set it to inactive
Update it, but do not scan with it yet.

==================================================

Download Killbox by Option^Explicit and save it to your desktop.

==================================================

Please download Ccleaner and save it to your desktop. Do not use it yet.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it

===================================================

Download AlcanShorty.
  • Click the download button and agree to download the fix.
  • Download Alcanshorty to your desktop.
  • Double-click alcanshorty_en.exe and click Install.
  • This will create a new folder on your desktop called alcanshorty_en.
  • Open that folder.
  • Double-click Run.bat.
  • Once the fix starts, your icons and desktop will disappear; this is normal.
Make sure you have a working internet connection. In case your firewall gives an alert, don't block it,
because alcanshorty needs to download some additional files to let the tool run properly.
  • Wait for the complete script execution box to popup
  • press OK.
  • Press exit to terminate the BFU program.
==================================================
  • Close all open Explorer windows and browsers/email, etc
  • Run HijackThis
  • Click on the Scan button and when complete
  • Put a check beside all of the items listed below
  • Click on the "Fix Checked" button
  • When completed, close the application.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - (no file)


==================================================

Double-click on Killbox.exe to run it.
Click on Tools>Delete Temp Files
Check Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file.

C:\Documents and Settings\Compaq_Owner\Application Data\Sskdmns.dll
C:\Documents and Settings\Compaq_Owner\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\Compaq_Owner\Application Data\errorsafefreeinstall[1].exe
C:\kybrdc_2.exe
C:\runme.exe
C:\muhahaa.exe
C:\autoexec01.exe
C:\dfndrc_2.exe
C:\boot.exe
C:\syscom.exe
C:\syscon.exe
C:\stub_sca3.exe
C:\526_620.exe
C:\SS1001.exe
C:\wd7gi8n.exe
C:\stub_113_4_0_4_0.exe
C:\ZIGID003.exe
C:\VSL02.exe
C:\nwnmb_2.exe
C:\installer.exe
C:\owned.exe
C:\corruptfile.exe
C:\dfndrb_2.exe
C:\kybrdb_2.exe
C:\bootinit.exe
C:\ac3_0003.exe
C:\kybrd_1.exe
C:\dfndra_1.exe
C:\nwnm_1.exe
C:\bootcmd.exe
C:\bootconect.exe
C:\bootcon.exe
C:\bootconfig.exe
C:\bootsector.exe
C:\svchost.exe
C:\numbsoft.exe
C:\alias.com
C:\NNSCAA638.EXE
C:\visfx500.exe

C:\WINDOWS\comfix.bat
C:\WINDOWS\cmdmgr.exe
C:\WINDOWS\hostsmgr.exe
C:\WINDOWS\mc-110-12-0000488.exe
C:\WINDOWS\booterror.exe
C:\WINDOWS\comserv.exe
C:\WINDOWS\iexplore.exe <======
This is not the legitimate iexplore.exe which runs from the Programs directory.
C:\WINDOWS\smss32.exe
C:\WINDOWS\errorfix.exe
C:\WINDOWS\manager.exe
C:\WINDOWS\comexec.bat
C:\WINDOWS\system32tfthot.exe
C:\WINDOWS\system32ftuninst.exe
C:\WINDOWS\system32ssec.exe

C:\WINDOWS\system32\x3cqp0.dll
C:\WINDOWS\system32\gbe90qs.exe
C:\WINDOWS\system32\ftuninst.exe
C:\WINDOWS\system32\tfthot.exe
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\ssec.exe
C:\WINDOWS\system32\banners.exe
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\system32\chkntfs.dll
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\WINDOWS\system32\Shlesb.dll
C:\WINDOWS\system32\xpsp3res.dll
C:\WINDOWS\system32\streamhlp.dll


It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

=============================================

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for
more information.

===================================================

Using Windows Explorer, locate the following folders and delete them, if they exist.

C:\Documents and Settings\Compaq_Owner\Application Data\?ymbols
C:\Program Files\EngageSidebar
C:\Program Files\?icrosoft <============ This has nothing to do with the legitimate Microsoft. Notice the spelling: the first letter is probably Cyrillic, which HJT cannot read, hence the ?.
C:\Program Files\Common Files\mqzu
C:\Program Files\Windows <============Notice the location of the folder, it's in Program Files.
C:\Program Files\Snowball Wars
C:\Program Files\Viewpoint
C:\Program Files\EngageSidebar
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\svchostsys
C:\Program Files\Common Files\partypoker
C:\Program Files\Common Files\InetGet

=============================================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block. It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT the Advanced part of the menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options,
  • select Cookies and move the ones you want to keep to the "Cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run Ccleaner for every user.

==============================================

From Safe Mode Run Ewido AntiMalware
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine
  • Then click Apply all actions
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop
NOTE: Ewido scan may need an hour.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel

==============================================

Reboot in Normal Mode

==============================================

You are running an old vulnerable version of Java.
  • Go to Start > Control Panel > Add/Remove Programs.
  • Search for all previously installed versions of Java (J2SE Runtime Environment...) and delete them.
  • It/they should have this icon next to it/them: Posted Image
  • Then download and install the newest version, 1.5.07, from here.
=============================================

Post back please:

a fresh HijackThis log
Ewido log

Edited by amateur, 29 June 2006 - 09:40 PM.
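A first-pass triage of HijackThis entries along the lines of the checks applied in the instructions above: dangling "(no file)" references, Run keys pointing at the drive root, a system binary name such as iexplore.exe running from the wrong directory, the "?icrosoft" look-alike folder, Winlogon Notify hooks and the "Unknown owner" service. This is an added example, not code from the thread or from HijackThis; the EXPECTED_DIR table and the two O4 lines marked constructed are assumptions.

```python
"""Automated first pass over a HijackThis (HJT) log, applying the same
heuristics a forum helper uses by hand. Added example; the directory table
below is an assumption, not an HJT feature."""
import re

# Section prefix of an HJT entry, e.g. "R1", "O4", "O23".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - ")
# First Windows path with an executable-ish extension anywhere in the entry.
PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|bat|com|pif))\b", re.IGNORECASE)

# Well-known Windows binaries and the directory they legitimately run from
# (assumed table). Short 8.3 paths such as C:\PROGRA~1 are not expanded, so
# a legitimate binary listed that way is flagged for review, not accepted.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "iexplore.exe": r"c:\program files\internet explorer",
}


def extract_path(entry):
    """Return the normalised (lower-case, single-backslash) path in an entry, or None."""
    match = PATH_RE.search(entry)
    if match is None:
        return None
    # HJT prints some Run keys as c:\\name.exe; collapse the doubled separator.
    return match.group(1).replace("\\\\", "\\").lower()


def triage_entry(entry):
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    head = ENTRY_RE.match(entry)
    if head is None:
        return []  # header lines and the running-process list are not HJT entries
    section = head.group(1)
    reasons = []
    if "(no file)" in entry:
        reasons.append("dangling reference: the registered file no longer exists")
    if section == "O20":
        reasons.append("Winlogon Notify hook: confirm the DLL belongs to a known vendor")
    if section == "O23" and "Unknown owner" in entry:
        reasons.append("service reports no vendor information")
    path = extract_path(entry)
    if path is not None:
        directory, _, name = path.rpartition("\\")
        if re.fullmatch(r"[a-z]:", directory):
            reasons.append("target lives in the drive root")
        expected = EXPECTED_DIR.get(name)
        if expected is not None and directory != expected:
            reasons.append(f"{name} runs from {directory}, expected {expected}")
        if "?" in path or not path.isascii():
            reasons.append("path contains a character HJT could not render (look-alike name?)")
    return reasons


def triage_log(text):
    """Map each flagged entry line to its reasons; clean entries are omitted."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        reasons = triage_entry(line)
        if reasons:
            findings[line] = reasons
    return findings


# Entries taken from the logs posted in this thread, plus two constructed
# O4 lines ([updater] and [helper]) for the fake iexplore.exe in C:\WINDOWS
# and the "?icrosoft" folder the helper pointed out.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [defender] c:\\dfndrc_2.exe
O4 - HKLM\..\Run: [updater] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [helper] C:\Program Files\?icrosoft\update.exe
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - (no file)
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\skrialui.dll
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

The result is a review list, not a verdict: every flagged line still needs the human check the helper performs before it goes into a "Fix checked" list.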


#8 kokopelli2

kokopelli2
  • Topic Starter

  • Members
  • 18 posts
  • Local time:10:55 AM

Posted 29 June 2006 - 11:28 PM

Followed the steps. The only issue was when I used Killbox on the c:\svchost.exe entry: it caused a reboot. Brought the machine up in Safe Mode and completed the steps.

There still seem to be issues. When I rebooted in Normal Mode with the scanners off, I began to get pop-ups.

Logs follow:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:02:10 AM 6/30/2006

+ Scan result:



C:\!KillBox\Shlesb.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Ldresb\Ldresb.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\IA\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\IA\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZA1EPY9\Installer[2].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fasres.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fdsroute.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fgst30.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\warebundle.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\warebundle.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
[216] C:\WINDOWS\system32\SzSHook.dll -> Adware.Look2Me : Error during cleaning.
[744] C:\WINDOWS\system32\fgst30.dll -> Adware.Look2Me : Error during cleaning.
[800] C:\WINDOWS\system32\fdsroute.dll -> Adware.Look2Me : Error during cleaning.
[852] C:\WINDOWS\system32\fasres.dll -> Adware.Look2Me : Error during cleaning.
HKLM\SOFTWARE\Classes\KBBar.KBBarBand -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand.1 -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CLSID -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CurVer -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\!KillBox\smss32.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\WINDOWS\wdfmgr.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\!KillBox\alias.com -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\!KillBox\booterror.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\!KillBox\bootinit.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\!KillBox\svchost.exe/booterror.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2FWLSD01\drsmartload45a[1].exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\drsmartload45n.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C90NARK1\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\!KillBox\bootcon.exe -> Downloader.VB.afe : Cleaned with backup (quarantined).
C:\!KillBox\bootconect.exe -> Downloader.VB.afe : Cleaned with backup (quarantined).
C:\!KillBox\bootconfig.exe -> Downloader.VB.afe : Cleaned with backup (quarantined).
C:\boot.pif -> Downloader.VB.afe : Cleaned with backup (quarantined).
C:\!KillBox\dfndrc_2.exe -> Downloader.VB.afv : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C90NARK1\dfndrc_2[1].exe -> Downloader.VB.afv : Cleaned with backup (quarantined).
C:\!KillBox\numbsoft.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1rwfu1v4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\2bicrn66.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\!KillBox\ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).
C:\!KillBox\system32ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).


::Report end

---------------

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:21 AM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [newname] c:\\nwnmc_2.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrc_2.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdc_2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\dlusic.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\SzSHook.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\skrialui.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\SzSHook.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\skrialui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#9 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 30 June 2006 - 08:21 AM

Hello,
You seem to be re-infected. :thumbsup: Are you on a network? Are there other users on this computer? OR, is this a different log?
There is a considerable decrease in the number of running processes in the last log. Did you do anything, or was the log taken from Safe Mode?

It's important that you follow these instructions in the same order they are given here without missing any.

Make sure that your realtime scanners are disabled.

To disable SpySweeper:

Open Spysweeper and click on Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

To disable Trojan Hunter:
Please go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see, but the handle is red. Right click it and select settings. Uncheck "Load at startup" and "Enabled". Make sure that the program, TrojanHunter itself, is also closed/not running.

To disable Norton Script Blocking

Start Norton Antivirus.
Click Options.
If a menu appears when you click Options, then click Norton Antivirus.
The Norton Antivirus Options dialog box appears.
Click Script Blocking.
Uncheck Enable Script Blocking (recommended).
Click OK

Ewido shield

Check and make sure that "Resident Shield" is "inactive".

=========================================

Make sure that you can see hidden files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK

=========================================

Click here to download Look2Me-Destroyer.exe and save it to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

===============================

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

=================================
  • Close all open Explorer windows and browsers/email, etc
  • Run HijackThis
  • Click on the Scan button and when complete
  • Put a check beside all of the items listed below
  • Click on the "Fix Checked" button
  • When completed, close the application.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [newname] c:\\nwnmc_2.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrc_2.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdc_2.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


==================================

Now Click Start>> Run>> Type in Services.msc and Click OK!

Scroll that list and locate the following service. When you find it, right click on it and Select "Properties">> Click "Stop">> Go up and Change the "Startup Type" to "Disabled"

Network Monitor

Now Click Start>> Run>> Copy&Paste the command below into the Open box, and Click OK! If you get an error message ignore it and go to the next line.

sc delete Network Monitor

================================
Still in Safe Mode, using Windows Explorer, locate and delete the following files:

c:\\nwnmc_2.exe
c:\\dfndrc_2.exe
c:\\kybrdc_2.exe

==================================

run ccleaner

==================================

run ewido again

==================================

Reboot in Normal Mode

==================================

Please perform this online scan:
F-Secure Online Scanner Next Generation Beta
1. Click on the link "F-Secure Online Scanner Next Generation Beta".
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then Click Install ActiveX component.
4. Read the license agreement and click "Accept".
5. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
6. When done click "Show report" and copy/paste its contents into your next reply.

==================================

Post back:

Look2Me-Destroyer.txt
Ewido log
F-Secure scan results
a Fresh HijackThis log

Edited by amateur, 30 June 2006 - 12:31 PM.
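As an added example (not code from this thread, from HijackThis, or from any tool linked above), the Python below applies the checks amateur applied by hand to lines copied from the logs posted here: hijacked IE search settings (R0/R1), Run entries whose executable sits in the drive root (O4), Winlogon Notify hooks under keys Windows does not register itself (O20, including the pattern in this log of one DLL hooked under several keys), and services with no vendor whose binary is missing (O23). The list of Windows-registered Notify subkeys is my assumption, not something the tool ships.

```python
"""Triage heuristics for HijackThis v1.99 log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str
    line: str


# Winlogon Notify subkeys that Windows XP itself registers. Assumption: a
# hand-kept list of the well-known ones, not something HijackThis ships.
KNOWN_NOTIFY_KEYS = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# IE search settings that browser hijackers rewrite (R0/R1 entries).
SEARCH_VALUES = ("Search Page", "SearchAssistant", "Default_Search_URL",
                 "Search Bar", "CustomizeSearch")

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(.+?)\s+-\s+(.+)$")
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def parse_line(line):
    """Split 'O20 - rest' into (section, rest); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(lines):
    """Return the entries that deserve a second look, each with a reason."""
    findings = []
    notify_dlls = defaultdict(list)  # lowercased DLL path -> Notify keys
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        sec, rest = parsed
        if sec in ("R0", "R1"):
            # 'HKLM\...\Main,Search Page = http://host': any URL is reviewed.
            key, _, value = rest.partition(" = ")
            if key.endswith(SEARCH_VALUES) and value.startswith("http"):
                host = urlparse(value).hostname
                findings.append(Finding(sec, f"search setting points to {host}", raw))
        elif sec == "O4":
            # 'HKLM\..\Run: [name] path': an .exe sitting in the drive root
            # is not how legitimate software installs itself.
            m = re.search(r"\]\s+(.*)$", rest)
            if m:
                path = m.group(1).strip().replace("\\\\", "\\")
                if ROOT_EXE_RE.match(path):
                    findings.append(Finding(sec, "autorun executable in drive root", raw))
        elif sec == "O20":
            m = NOTIFY_RE.match(rest)
            if m:
                key, dll = m.group(1), m.group(2)
                notify_dlls[dll.lower()].append(key)
                if key not in KNOWN_NOTIFY_KEYS:
                    findings.append(Finding(sec, f"Notify key '{key}' is not one Windows registers", raw))
        elif sec == "O23":
            if "Unknown owner" in rest and "(file missing)" in rest:
                findings.append(Finding(sec, "service has no vendor and its binary is missing", raw))
    # One DLL hooked under several Notify keys is the pattern in the posted log.
    for dll, keys in notify_dlls.items():
        if len(keys) > 1:
            findings.append(Finding("O20", f"{dll} is hooked under {len(keys)} Notify keys: {', '.join(keys)}", dll))
    return findings


def report(lines):
    """Number of flagged entries per section, for a quick summary."""
    counts = defaultdict(int)
    for f in triage(lines):
        counts[f.section] += 1
    return dict(counts)


# Sample input: lines copied from the logs posted in this thread, plus two
# benign entries (O9 AIM, O23 SAVScan) that must not be flagged.
SAMPLE_LOG = r"""
Running processes:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [newname] c:\\nwnmc_2.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrc_2.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdc_2.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\dlusic.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\SzSHook.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\skrialui.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\SzSHook.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\skrialui.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(report(SAMPLE_LOG.splitlines()))
```

The output is a list of entries to review, not a verdict; a legitimate entry can trip a heuristic, and a human still decides what goes on the fix list.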


#10 kokopelli2

kokopelli2
  • Topic Starter

  • Members
  • 18 posts

Posted 30 June 2006 - 12:05 PM

Here is the L2M Destroyer log:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/30/2006 12:48:13 PM

Infected! C:\WINDOWS\system32\k080lalm1dqa.dll
Infected! C:\WINDOWS\system32\SzSHook.dll
Infected! C:\WINDOWS\system32\skrialui.dll
Infected! C:\WINDOWS\system32\hfpertrm.dll
Infected! C:\WINDOWS\system32\j4n2le5o1h.dll
Infected! C:\WINDOWS\system32\k080lalm1dqa.dll
Infected! C:\WINDOWS\system32\n2r20c9oef.dll
Infected! C:\WINDOWS\system32\o4lu0e39eh.dll
Infected! C:\WINDOWS\system32\o6840glqe6qe0.dll
Infected! C:\WINDOWS\system32\rzhx32.dll
Infected! C:\WINDOWS\system32\taolhelp.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\k080lalm1dqa.dll
C:\WINDOWS\system32\k080lalm1dqa.dll Deleted successfully!

C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0110999.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111012.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111012.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111042.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111042.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111047.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111047.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111072.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111072.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111087.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111087.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111096.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111096.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111141.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111141.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111153.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111153.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111157.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111157.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111187.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111187.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111203.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111203.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111207.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP300\A0111207.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP301\A0111227.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP301\A0111227.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP301\A0111234.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP301\A0111234.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP301\A0111262.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP301\A0111262.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP301\A0111267.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP301\A0111267.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0111279.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0111279.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0111281.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0111281.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0111293.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0111293.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0111294.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0111294.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP303\A0111328.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP303\A0111328.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP303\A0111329.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP303\A0111329.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP303\A0111343.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP303\A0111343.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP303\A0112347.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP303\A0112347.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112366.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112366.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112372.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112372.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112380.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112380.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112387.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112387.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112392.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112392.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112396.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112396.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112405.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112405.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112409.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP305\A0112409.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0112428.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0112428.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0112432.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0112432.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0112462.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0112462.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0112468.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0112468.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0113466.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0113466.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0114467.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP307\A0114467.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP308\A0114493.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP308\A0114493.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP308\A0114499.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP308\A0114499.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP308\A0114522.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP308\A0114522.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP309\A0114547.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP309\A0114547.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP309\A0114552.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP309\A0114552.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP309\A0114566.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP309\A0114566.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP309\A0114572.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP309\A0114572.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP310\A0114581.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP310\A0114581.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP310\A0114588.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP310\A0114588.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP310\A0114644.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP310\A0114644.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP310\A0114649.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP310\A0114649.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP311\A0114684.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP311\A0114684.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP311\A0114691.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP311\A0114691.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP311\A0115688.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP311\A0115688.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP311\A0115725.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP311\A0115725.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP312\A0115761.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP312\A0115761.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP312\A0116828.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP312\A0116828.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP312\A0116834.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP312\A0116834.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP313\A0116873.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP313\A0116873.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP313\A0116874.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP313\A0116874.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP313\A0117885.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP313\A0117885.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0117927.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0117927.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0117932.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0117932.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0117989.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0117989.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0118989.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0118989.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0119990.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0119990.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0120029.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0120029.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0120036.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0120036.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0120045.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0120045.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0120050.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP314\A0120050.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0121051.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0121051.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122064.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122064.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122069.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122069.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122086.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122086.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122090.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122090.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122093.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122093.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122179.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122179.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122180.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122180.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122181.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122181.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122182.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122182.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122183.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122183.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122184.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122184.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122185.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122185.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122186.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122186.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122187.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122187.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122188.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122188.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122189.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122189.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122190.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122190.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122191.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122191.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122192.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122192.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122193.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122193.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122194.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122194.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122195.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122195.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122196.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122196.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122197.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122197.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122198.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122198.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122199.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122199.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122200.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122200.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122201.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122201.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122202.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP315\A0122202.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124540.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124540.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124541.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124541.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124542.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124542.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124558.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124558.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124572.dll
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP316\A0124572.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hfpertrm.dll
C:\WINDOWS\system32\hfpertrm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j4n2le5o1h.dll
C:\WINDOWS\system32\j4n2le5o1h.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k080lalm1dqa.dll
C:\WINDOWS\system32\k080lalm1dqa.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n2r20c9oef.dll
C:\WINDOWS\system32\n2r20c9oef.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\o4lu0e39eh.dll
C:\WINDOWS\system32\o4lu0e39eh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\o6840glqe6qe0.dll
C:\WINDOWS\system32\o6840glqe6qe0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rzhx32.dll
C:\WINDOWS\system32\rzhx32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\taolhelp.dll
C:\WINDOWS\system32\taolhelp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8EE2FF75-B950-4CDB-875F-E523527AC736}"
HKCR\Clsid\{8EE2FF75-B950-4CDB-875F-E523527AC736}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5C81CC76-5E2C-4DA1-8686-E3CAC107F7A1}"
HKCR\Clsid\{5C81CC76-5E2C-4DA1-8686-E3CAC107F7A1}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B4A618C8-5CDF-407C-B510-D2EF1430C74C}"
HKCR\Clsid\{B4A618C8-5CDF-407C-B510-D2EF1430C74C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B1E050E4-8D3D-4A2C-BAAC-B2878293C590}"
HKCR\Clsid\{B1E050E4-8D3D-4A2C-BAAC-B2878293C590}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F7A259F9-286F-4C11-A8EF-228DD4AE70FA}"
HKCR\Clsid\{F7A259F9-286F-4C11-A8EF-228DD4AE70FA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7DB6F432-7AD9-4D63-BCCA-93E427364B5D}"
HKCR\Clsid\{7DB6F432-7AD9-4D63-BCCA-93E427364B5D}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

>>>>>>>>> Next steps and results to follow.......

#11 kokopelli2

  • Topic Starter

  • Members
  • 18 posts

Posted 30 June 2006 - 02:09 PM

Ran remaining steps up to F-Secure scan (running now). After running HiJack, I went into Control Panel to remove some other unwanted programs and noticed "Command Service" installed. When I tried to remove it, it attempted to access a script online (the network was unplugged). I used the Services panel to disable the service and removed the WINDOWS\IA\ directory that it was running from. I also emptied out the Windows prefetch directory, then rebooted into normal mode to start the F-Secure scan (log to follow this post)...


Ewido log:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:09:38 PM 6/30/2006

+ Scan result:

C:\WINDOWS\IA\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\IA\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\warebundle.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\Documents and Settings\Compaq_Owner\Desktop\backups\backup-20060630-131018-915.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gbe90qs.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssn6tuu.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\SurfSideKick 3\Ssk3RepairInstall.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\SurfSideKick 3\SskBho.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\SurfSideKick 3\SskCore.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\wd7gi8n.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Program Files\Uninstall Information\horehoc.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\626_101.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\SS1001.exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\WINDOWS\v1201.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mptft.exe -> Hijacker.StartPage.ajj : Cleaned with backup (quarantined).
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).
C:\WINDOWS\system32ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).


::Report end

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:06:11 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrc_2.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdc_2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 amateur (Malware Fighter, Malware Response Team)

Posted 30 June 2006 - 02:33 PM

It looks like this HijackThis log was taken from Safe Mode. Please reboot in Normal Mode. Scan with HijackThis and post the fresh HijackThis log.

Also, open CCleaner and go to Tools>Uninstall tab. Click on Save text to file. Post the contents of that text in your next reply. Thank you.

Edited by amateur, 30 June 2006 - 02:40 PM.


#13 kokopelli2 (Topic Starter)

Posted 30 June 2006 - 03:52 PM

F-Secure scan ran for about an hour and found 154 items. Cleaned 150 before it locked up. Had to cancel it but it still produced a report (below):

Scanning Report
Friday, June 30, 2006 15:27:56 - 16:38:41

Computer name: TERPSTRA
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
Result: 154 malware found
Adware.Director (spyware)

* System

Adware.Look2Me (spyware)

* System

Backdoor.Win32.SdBot.aev (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5ECA1FA2.EXE (Renamed & Submitted)

Backdoor.Win32.SdBot.xd (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\07F13811.COM (Renamed & Submitted)

Multidrp.JD (virus)

* C:\VSL02.EXE

Possible Browser Hijack attempt (spyware)

* System

Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System (Submitted)

Trojan-Clicker.Win32.Small.jf (virus)

* C:\PROGRAM FILES\MICROSOFT FRONTPAGE\KYZET.HTML (Renamed)

Trojan-Clicker.Win32.VB.fc (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\07F41F30.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\07F7492D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\133306EA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\39A37EC2.EXE (Renamed & Submitted)
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CZA1EPY9\NWNMB_2[1].EXE (Renamed & Submitted)
* C:\!KILLBOX\NWNMB_2.EXE (Renamed)

Trojan-Clicker.Win32.VB.ij (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\336B0FB0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C007C9C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6057275A.EXE (Renamed & Submitted)

Trojan-Downloader.MSIL.Agent.a (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\07304457.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1F0B74B1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3EE47308.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Adload.bo (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02A84166.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\11344BFA.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\56FC29F9.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Adload.bv (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02A5176A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1A37608F.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Adload.bx (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02A16D6D.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Adload.ch (virus)

* C:\DEBUG.PIF (Renamed)
* C:\MSDOS.PIF (Renamed)
* C:\NTCC.PIF (Renamed)

Trojan-Downloader.Win32.Adload.ck (virus)

* C:\DRSMARTLOAD46N.EXE (Renamed & Submitted)
* C:\DRSMARTLOAD849N.EXE (Renamed & Submitted)
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CZA1EPY9\DRSMARTLOAD849A[1].EXE (Renamed)
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2FWLSD01\DRSMARTLOAD46A[1].EXE (Renamed)

Trojan-Downloader.Win32.Agent.agw (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02A16D6D.DLL (Renamed & Submitted)

Trojan-Downloader.Win32.PurityScan.cq (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\028E7183.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\344B75FD.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Qoologic.at (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02B81354.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\33E57FF6.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\63AC2D40.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Qoologic.bj (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1CC407F8.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Qoologic.c (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\337F09EE.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Small.buy (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02C96542.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02CC0F3F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\569633F1.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Small.cpu (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\057A4A39.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\05A81607.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\14A90472.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\163A7995.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1F4217A5.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\23E46541.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\24794B54.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2B673A48.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\376A3314.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3C5C0391.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4EA044A8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59010E19.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5AB70837.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5BFB7BF6.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.TSUpdate.o (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02D93730.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4E4B374D.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.VB.abm (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02CF393B.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.VB.adw (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\029E4371.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.VB.afo (virus)

* C:\INSTALL.EXE (Renamed)
* C:\MSAPPS.PIF (Renamed)
* C:\RUNMEE.EXE (Renamed)
* C:\RUNSET.EXE (Renamed)
* C:\RUNST.EXE (Renamed)
* C:\RUNSTD.EXE (Renamed)
* C:\RUNSTD0.EXE (Renamed)
* C:\RUNSTD1.EXE (Renamed)
* C:\!KILLBOX\AUTOEXEC01.EXE (Renamed)
* C:\!KILLBOX\MUHAHAA.EXE (Renamed)
* C:\!KILLBOX\OWNED.EXE (Renamed)
* C:\!KILLBOX\RUNME.EXE (Renamed)
* C:\!KILLBOX\SYSCOM.EXE (Renamed)
* C:\!KILLBOX\SYSCON.EXE (Renamed)

Trojan-Downloader.Win32.VB.afv (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\06DC5D40.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4F7F7A77.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\52B324F1.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.VB.agi (virus)

* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CZA1EPY9\KYBRDC_2[1].EXE (Renamed & Submitted)

Trojan-Downloader.Win32.VB.nw (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\336F39AD.EXE (Renamed)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C065095.EXE (Renamed)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\605A5156.EXE (Renamed)

Trojan-Dropper.Win32.Agent.hl (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\00622A68.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\00B7252D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\044F2E15.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\06587145.EXE (Renamed)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\06DE2AB1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\07E6738E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\07E923DD.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\09034639.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\14C67E51.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\14DD2438.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\14E04E35.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\16374F99.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\16414D8E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\164A4B83.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\16511F7C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1A677028.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1A716E1D.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1A774216.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1EFA7BF4.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1F5F1184.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1F870959.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2054145F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2483494A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\248D473F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2490713B.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2AD12EED.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2B6D0E40.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2B770C36.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2B7E602F.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2C8D0FD7.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\31BD09A7.EXE (Renamed)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\33B32B61.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\37660917.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\37743109.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\44133200.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\493377B0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4971156C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4C097A92.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4EA9429E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\4EAD6C9A.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\52DD46C2.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\554B7261.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\55FE73EB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\58F46627.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\590B0C0E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59150A03.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\591B5DFC.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5AB0343E.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5ABA3233.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5ABD5C30.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5AC1062C.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5AEA2479.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5C0479EB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5C0823E8.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\60045E49.EXE (Renamed)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\637877A1.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\63F75D15.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6D9814FB.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\78460AC0.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7B2852B7.EXE (Renamed & Submitted)

Trojan-Dropper.Win32.Small.qn (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02D60D34.EXE (Renamed & Submitted)
* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\27EE4DEF.EXE (Renamed & Submitted)

Trojan-Dropper.Win32.VB.mz (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7F6B5CC1.EXE (Renamed & Submitted)

Trojan.Win32.StartPage.aju (virus)

* C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\02BB3D51.EXE (Renamed & Submitted)

W32/Downloader (virus)

* C:\!KILLBOX\AC3_0003.EXE

W32/Smalldrp.IQK (virus)

* C:\!KILLBOX\VISFX500.EXE (Submitted)

Statistics
Scanned:

* Files: 28122
* System: 4560
* Not scanned: 4

Actions:

* Disinfected: 1
* Renamed: 142
* Deleted: 0
* None: 11
* Submitted: 117

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL

Options
Scanning engines:

* F-Secure AVP: 6.0.171, 2006-06-30
* F-Secure Libra: 2.4.1, 2006-06-30
* F-Secure Orion: 1.2.37, 2006-06-30
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Pegasus: 1.19.0, 2006-05-13
* F-Secure Draco: 1.0.35, 0259-24-212

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

------------------------------

HijackThis log (Normal Mode):

Logfile of HijackThis v1.99.1
Scan saved at 4:40:43 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Logon Service (NetLgn) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------

Note: Still getting popups galore.

#14 amateur (Malware Fighter, Malware Response Team, 2,775 posts)

Posted 30 June 2006 - 04:16 PM

Also, open CCleaner and go to the Tools > Uninstall tab. Click on "Save to text file". Post the contents of that text file in your next reply. Thank you.



#15 kokopelli2 (Topic Starter, Members, 18 posts)

Posted 30 June 2006 - 04:38 PM

Ran CCleaner (results attached). Also ran a Spy Sweeper sweep and it still found 157 traces. I'm just about ready to wipe this PC clean and start over...

Adobe Acrobat - Reader 6.0.2 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Toolbar 2.0
AOL You've Got Pictures Screensaver
Blackhawk Striker 2 from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Blasterball 2 Holidays from Compaq (remove only)
Blasterball 2 Remix from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
BufferChm
CameraDrivers
ccCommon
CCleaner (remove only)
Command
Compaq Connections
Compaq Organize
CreativeProjectsTemplates
CreativeProjects
Crystal Maze from Compaq (remove only)
CueTour
Destinations
Director
easy Internet sign-up
ewido anti-spyware 4.0
Final Drive Nitro from Compaq (remove only)
GiPo@MoveOnBoot 1.9.5
Google Toolbar for Internet Explorer
Help and Support Additions
HijackThis 1.99.1
HP Boot Optimizer
HP Deskjet 3840
HP Help and Support 4.0
HP Image Zone 4.5
HP Photosmart Cameras 4.5
HP Product Assistant
HP Software Update
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
Internet Worm Protection
InterVideo WinDVD Player
iPod for Windows 2005-06-26
iTunes
J2SE Runtime Environment 5.0
Lexibox Deluxe from Compaq (remove only)
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Livewire Instant Messenger
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
Mozilla Firefox (1.5)
MSN
MTV Networks Video Optimizer
Multi-Card Reader/Writer
Network Monitor
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus 2005
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Overball from Compaq (remove only)
PanoStandAlone
PC-Doctor for Windows
Phoenix Assault from Compaq (remove only)
PhotoGallery
Polar Bowler from Compaq (remove only)
Polar Golfer from Compaq (remove only)
PS2
Pure Networks Port Magic
QFolder
QuickTime
RealPlayer Basic
Remove Adobe Photoshop Album 2.0 Starter Edition installer
Remove Microsoft Money 2005 installer
Remove Quicken New User Edition installer
Remove WeatherBug installer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Shooting Stars Pool from Compaq (remove only)
SiS VGA Utilities
SkinsHP1
Slyder from Compaq (remove only)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SPBBC
Spy Sweeper
Spybot - Search & Destroy 1.4
Super Granny from Compaq (remove only)
Symantec Network Drivers Update
Symantec Script Blocking Installer
Symantec
SymNet
Tradewinds from Compaq (remove only)
TrayApp
TrojanHunter 4.5
Ulead Photo Explorer 8.0 SE Basic
Ulead Photo Express 5 SE
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
V6300 Digital Camera Driver
Web Nexus Network
WebFldrs XP
WebReg
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
